Tasks to be undertaken:
For this assignment you will need to complete some practical tasks followed by a report based on
your practical tasks – you will need to follow the instructions carefully.
If you are not sure what you need to do, or get stuck, it is YOUR responsibility to ask for
support in plenty of time before the deadline.
As a reminder, any form of forensics will not be a quick process so you should plan your time
accordingly and commence working on the coursework ASAP.
An executive report with recommendations of 2,000 words, submitted as a PDF that uses Harvard
referencing, and uses appendices appropriately.
Expanded Guidance on Task to be completed:
1. You will be provided with some files to use; you will be directed to set the files up together
so that they form a working network correctly. This step is important to get right: if you
don’t follow the steps, you will not be able to complete any further tasks, so make sure you
check you understand what to do! Don’t forget to start your contemporaneous notes, as you
will need to write about how you set up the network at the beginning of your report.
2. You will need to perform some network forensics on the network/provided files, ensuring
that you preserve the integrity of the files at all times using appropriate methods, and
prove the integrity has not been compromised when your analysis is complete. This
is an important part of the coursework and any forensic investigation so do not forget to do
this. Continue taking contemporaneous notes whilst doing each step of this.
3. Collect and preserve all artefacts you locate during your investigation using appropriate
methods.
4. Analyse all artefacts you have collected, keeping their integrity and proving it is intact.
5. Write up what you have found during your analysis, ensuring you are writing your report
for the non-technical executives: state the technical, then explain what that means in
non-technical UK English, showing you understand what you are explaining.
6. Write up your recommendations to the non-technical executives. You need to tell them
what steps to take to secure the network, mitigating any current issues (if there are any)
and preventing further issues. Think about the language you need to use here and also
what will help them understand your recommendations so they can easily approve them.
7. In your appendices, Appendix A should be Harvard format References. You can use as
many appendices as you require; however, each appendix should only contain one item
and it should be labelled clearly with what is presented in the appendix. Any screenshots
used should not be cropped and should cover as much of the page as possible (keep their
size ratio by making them larger using the corners, not the sides). Please use the tools within
Word to help you highlight areas you are referring to.
8. If you run into an issue or are stuck, it is your responsibility to ask for support – do this
as soon as you can to avoid further delays. You should go back over all your coursework
instructions to try and see if you can sort out the issue yourself, but if you have tried and
something is still not working then you should email the module leader ASAP or attend
office hours.
Confidential Document
Instructions to: CTI NF Team
Distribution: CTEC3424_2023_502
Date: Friday 24th February 2023
Particulars of the case:
Lesta Recruit are a local recruitment agency, with a small number of employees operating
out of their office in the city centre.
A company director was contacted by the company’s Internet Service Provider last year,
who reported some suspicious activity. The Lesta Recruit directors are not technical and
have asked you to assist them with investigating the issues. They have been trying to get
the issues resolved for the past 12 months, but they have not been able to sort it internally,
so they have now decided to outsource it.
The potential issue was reported by phone to the company director, who did not really
understand what the issue was and can only remember that it might have something to
do with malware communication. The Internet Service Provider want to cut the company
off from the Internet, which would be disastrous for the company, and is of great concern
to the company directors, who are very worried.
You have been contracted to the company to assist, investigate and to provide a report of
your findings with your recommendations to resolve the issue(s).
You have been granted access to their network only for the purposes of your investigation.
You have written permission to perform Network Forensics only. You are not allowed to
change the network configuration or remove any data. If your investigation leads you to
believe any other investigatory activities (such as physical or host forensics, firewall
changes or quarantining hosts) should be carried out, this should be included in your
report as recommended follow up activity.
The company has not had any regular IT staff since the last person left the role 5
months ago; that person is yet to be replaced. Due to the incident, the company directors are
about to contract out their IT support to a local company. Your report may be passed on to
allow any necessary remediation to take place.
Some technical network documentation is available and will be provided, although it
cannot be guaranteed to be accurate or up to date. You will be provided a workstation for
your investigation; you are able to install tools as you require them.
2. A timeline of events.
3. If it looks like there is or has been any criminal activity, or UK laws have been broken,
the Lesta Recruit executives will cooperate fully with the police on the matter, so they
wish to be informed if this is the case. Any proof of this activity will need to be collected
and preserved as per usual guidelines.
4. If there is anything the company can do to help prevent future issues, or any follow up
investigation activities that you would recommend.
CTEC3424 Network Forensics 2023 Coursework Setup
To enable your investigation, 3 virtual machines have been provided that form the network that
you are investigating. A 4th virtual machine has also been provided to act as your investigation
workstation.
Some minimal configuration is required to import the VMs and configure networking to build your
own copy of the network.
As configured, the 4 virtual machines will need roughly 16GB of RAM, and should run fine in any
of the CTI labs.
1. Download the entire coursework folder to your P number folder on the D drive of the CTI Lab
machine you will be using. You can either copy it across from the CSC shared folder:
\\146.227.150.4\csc\CTEC3424\Coursework2023
or you can use the link to Dropbox on Blackboard and download the file to your P number folder.
3. You will then be asked to name the VM and tell it where to store the VM files:
…first check the Network Adapter is set to NAT:
So Network Adapter 2 should use VMnet2 etc.
8. For 2_Syslog Server you will need to change the Network Adapter to VMnet2:
You can also use VMnet4 for any other devices that need to be
connected, should you need to add any other VMs.
Login Details
1_Router
User: root
Password: admin9983
2_SyslogServer
User: dmu
Password: admin9983
3_Web Server
User: dmu
Password: admin9983
4_Investigator
User: dmu (will appear as ‘Investigator’ at the login screen, but the account username is dmu)
Password: admin9983
Network Map
CTEC3424 Coursework Marking Grid 2023

1. A suitable report has been produced for the given audience. (30 Marks Max)
<40% Fail: A report was attempted but it might have not been structured appropriately. Little or no use of headings and sub-headings has been made. The writing style might have been hard to follow and not suitable for the given audience in mind.
40-49% 3rd: A report has been written with some headings and sub-headings. The written style is mostly suitable for the given audience. It could be too technical or not detailed enough in places.
50-59% 2:2: A structured report has been written, with good use of headings and sub-headings. The written style is suitable for the given audience, containing mostly non-technical language and provides a suitable amount of details.
60-69% 2:1: A well-structured report has been written, with good use of headings and sub-headings. The written style is very suitable for the given audience, and provides detail but explains things well in non-technical language.
70%+ 1st: A very well-structured report has been written, with excellent use of headings and sub-headings. The written style is extremely suitable for the given audience and provides excellent detail whilst explaining things in non-technical language.

2. Digital artefacts have been preserved, analysed, and interpreted in relation to a given scenario using a research-based approach. (35 Marks Max)
<40% Fail: Little demonstration of preserving digital artefacts appropriately. Little analysis has been made of any artefacts, so no interpretation has been made. Or an analysis was attempted, and it was completely incorrect and had no relation to the assignment. There is no mention of a timeline.
40-49% 3rd: An appropriate technique has been used to preserve at least one digital artefact. One or more artefacts will have been analysed although their meaning or significance in relation to the investigation, might not have been made clear. Some mention of a timeline should be made explaining how it would support the investigation.
50-59% 2:2: Appropriate techniques have been used to preserve the digital artefacts. Artefacts will have been analysed and their meaning and significance in relation to the investigation will have been discussed fairly well. A timeline has been created and it has been used to help analyse the artefacts.
60-69% 2:1: Appropriate techniques have been used to preserve and prove the artefacts have not been modified. Artefacts will have been well analysed and their meaning and significance in relation to the investigation will have been discussed very well. A timeline has been created and it has been used well to help analyse the artefacts.
70%+ 1st: Appropriate techniques have been used to preserve and prove the artefacts have not been modified. Artefacts will have been analysed and their meaning and significance in relation to the investigation, has been discussed extremely well. A timeline has been created and it has been used very well to help analyse the artefacts.

3. Specific recommendations have been researched and presented appropriately. (35 Marks Max)
<40% Fail: Recommendations may have been made but they are incorrect for the given scenario.
40-49% 3rd: Recommendations to mitigate future issues or further investigation have been made, but they might be more general rather than specific to the given scenario.
50-59% 2:2: Some recommendations have been made to mitigate issues or for follow up activities, that are suitable for the given audience and scenario.
60-69% 2:1: Some good recommendations have been made to mitigate issues or for follow up activities, that are specific for the given audience and scenario.
70%+ 1st: Some excellent recommendations have been made to mitigate issues and for follow up activities, that are very specific for the given audience and scenario.